Title: Identity Theft Prevention Program
Responsible Department: University Risk Management
Magsino, Chique Lingao
Director of Risk Management
Effective Date: 2009-05-16
Next Review Date: 2019-06-30
Approval Date: 2015-02-09 15:15:59.0
May 16, 2009 - WesternU Board of Trustees reviewed and approved this policy.
16 Code of Federal Regulations 681.2
It is the policy of WesternU to establish and maintain Covered Accounts in accordance with the Federal Trade Commission (FTC) "Red Flag Rules" in a manner that reasonably protects against foreseeable risks of identity theft.
To detect, prevent, and mitigate identity theft in connection with Covered Accounts described in this policy.
Whenever the University receives or identifies one or more Red Flags with respect to any Covered Account, the University will determine and implement an appropriate response designed to mitigate against unauthorized transactions or other forms of identity theft. Covered accounts, includes Patient Accounts maintained by the Patient Care Centers of WesternU.
Appropriate responses may include, but are not limited to
(1) contacting the student, patient, or other customer, e.g., vendors;
(2) monitoring the affected account for evidence of identity theft;
(3) changing any passwords, security codes or other security devices that permit access to a Covered Account;
(4) reopening a Covered Account with a new account number;
(5) not opening a new account;
(6) closing an existing account;
(7) not attempting to collect on a covered account or not selling a covered account to a debt collector;
(8) notifying law enforcement; or
(9) determining that no response is warranted under the particular circumstance.
All University employees with assigned responsibilities relating to any Covered Account shall immediately report any identified Red Flags to the Identity Theft Program Manager who will determine an appropriate response. In determining an appropriate response, the Identity Theft Program Manager will consult with other appropriate officials of the University, such as the Chief Financial Officer (CFO), the Director of Financial Aid, the Executive Director of Information Technology, University Compliance, or General Counsel.
The Identity Theft Program Manager, under the supervision of the CFO, has responsibility for general oversight of the Identity Theft Program. The Manager shall implement appropriate training of all University employees with assigned responsibilities for any Covered Account concerning the Identify Theft Program and procedures intended to protect against potential identity theft. The Manager shall provide the CFO with periodic reports (including at least an annual report) that will provide summary information concerning identified Red Flags, any reported incidents of identity theft with respect to any Covered Accounts and recommendations for changes, if any, with respect to the Identity Theft Program.
Recognition of Identity Theft “Red Flags”
There are several categories of Red Flags. Although some Red Flags can appear harmless on their own, they may signal identity theft when paired with one or more elements.
The following are relevant Red Flags, in each of the listed categories, which employees should be aware of and be diligent in monitoring covered accounts:
A. Suspicious Documents
§ Identification (ID)document or card that appears to be forged, altered or inauthentic;
§ ID document or card on which a person’s photograph or physical description is not consistent with the person presenting the document;
§ Other information on the ID is not consistent with information provided by the person opening a new covered account or presenting the ID;
§ Other information on the ID is not consistent with readily accessible information that is on file, such as a signature card or a recent check; and
§ Application for service that appears to have been altered or forged or gives the appearance of having been destroyed and reassembled.
B. Suspicious Personal Identifying Information
§ Identifying information presented that is inconsistent with other information provided (example: inconsistent birth dates);
§ Photograph or physical description on the identifying information is not consistent with the appearance of the person presenting the information;
§ Identifying information presented that is inconsistent with other sources of information (for instance, an address not matching an address on a credit report);
§ Identifying information presented that is the same as information shown on other applications that were found to be fraudulent;
§ Identifying information presented that is consistent with fraudulent activity, such as
§ The phone number is invalid or is associated with a pager or answering service
§ The billing address is fictitious, a mail drop, or a prison
§ Social security number presented that is the same as one given by another person; has not been issued or is listed on the Social Security Administration’s Death Master file;
§ An address or phone number presented that is the same as that of another person;
§ A person fails to provide complete personal identifying information on an application when opening the covered account or in response to a notification that the application is incomplete
§ A person’s identifying information is not consistent with the information that is on file for them;
§ When using security questions (e.g., mother’s maiden name or high school mascot), the person opening the covered account cannot provide identifying information beyond that which is usually contained in a wallet or found in a consumer report;
§ A request to mail information contained in a covered account to an address not listed on file
C. Suspicious Account Activity or Unusual Use of Account
§ Change of address for an account followed by a request to change the account holder's name;
§ Change of address for an account followed by a request for new, additional, or replacement services, or for the addition of authorized users on the account;
§ A covered account is used that has been inactive for a lengthy period of time, taking into consideration the type of account, the expected pattern of usage, and other relevant factors;
§ Payments stop on an otherwise consistently up-to-date account;
§ Account used in a way that is not consistent with prior use, for example:
§ very high activity;
§ nonpayment when there is no history of late or missed payments;
§ a material change in purchasing or usage patterns
§ Mail sent to the account holder is repeatedly returned as undeliverable;
§ Notice to the University that a person is not receiving mail or account statements sent by the University;
§ Notice to the University that an account has unauthorized activity;
§ Breach in the University ’s computer system security; and
§ Unauthorized access to or use of person’s account information.
D. Alerts from Others
§ Notice to the University from an individual, victim of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with covered accounts.
E. Additional Red Flags to be aware of
§ Documents provided for ID appear to have been altered or forged
§ Personal identifying information provided is not consistent with other personal identifying information presented (i.e., Social Security Number (SSN) range does not correlate with date of birth)
§ The Social Security Number provided is the same as that submitted by another individual opening an account or existing student, employee, patient, or vendor
§ An individual who has a health insurance number but has never produced an insurance card or other physical documentation for proof of insurance;
§ Records showing medical treatment that are inconsistent with a physical examination or medical history as reported by the patient
§ Complaint/inquiry from an individual based on receipt of:
§ A bill for another individual
§ A bill for a product or service that the person denies receiving
§ A bill from a provider that the individual never patronized
§ A notice of insurance benefits or Explanation of Benefits for health services never received
§ A fraud or identity theft related complaint or question from an individual about the receipt of a collection notice from a collection service
§ A patient or insurance company report that coverage for legitimate service is denied because insurance benefits have been depleted or a lifetime cap has been reached
§ A complaint or question from an individual about information added to a credit report by the University, provider, or insurer;
§ A notice or inquiry from an insurance fraud investigator for a private insurance company of a law enforcement agency;
§ Mail sent to an individual is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the covered account
§ The University is notified by an employee, student, patient or vendor, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
§ Personal identifying information provided by the individual is associated with known fraudulent activity as indicated by internal or third-party sources used by the University. For example, the name, address or phone number on the application is the same as the address provided on a fraudulent application
Detecting Red Flags
The following protocol must be followed for opening new covered accounts, maintaining existing covered accounts, and accessing covered accounts:
A. New Covered Accounts
In order to detect any of the Red Flags identified above associated with the opening of a new covered account, University employees must take the following steps to obtain and verify the identity of the individual opening the account:
§ Require identifying information, including name, date of birth, residential or business address, driver's license or other photo ID;
§ Verify the individual’s identity (for instance, review a driver's license or other I.D. card);
§ Independently contact the individual to verify the new covered account;
B. Existing Covered Accounts
In order to detect any of the Red Flags identified above for an existing covered account, the University employee must take the following steps to monitor transactions with a covered account:
§ Verify the ID of the individual if they request information (either in person, via telephone, via facsimile, or via email by asking them to provide the identifying information on file);
§ Verify the validity of requests to change billing addresses with the individual; and
§ Verify changes in banking information given for billing and payment purposes.
C. Methods to Access Covered Accounts
§ Disbursement of information contained in covered accounts obtained in person requires provision of photo ID
§ Disbursement of information contained in covered accounts by mail can only be mailed to the address on file under the covered account
§ Refunds of credit balances can only be mailed to an address on file or picked up in person by showing photo ID.
§ Credit card information used in association with covered accounts must be maintained in accordance with the University’s Credit Card Processing Controls.
Responding to Red Flags
When a potentially fraudulent activity is detected, the University must act quickly as appropriate to protect the individual. In the event the University employee detects any of the identified Red Flags, the following steps shall be taken to respond to and mitigate identity theft:
1. Stop the billing/admissions process and require provision of additional documentation to resolve the discrepancy. Reporting employee shall notify his/her supervisor or designated authority of discrepancy for further instruction.
i. Collections Services will be notified and instructed to place a hold and flag suspected covered accounts in the appropriate clinical information system.
ii. Information Technology (IT) Department will be notified to lock suspicious covered accounts in the appropriate information systems.
2. The supervisor or designated authority will complete additional authentication to determine whether the attempted transaction based upon information available at that time could be fraudulent or authentic.
i. If discrepancy is resolved, re-verify information with the individual and continue with the billing/admissions process.
ii. If discrepancy is not resolved, all related documentation should be gathered and a description of the situation should be written utilizing the University’s electronic Incident Reporting Form. This information should be presented to a supervisor or designated authority for further instruction. The employee detecting the Red Flag must complete the Incident Report Form.
3. The supervisor or designated authority will contact the Identity Theft Program Manager to open a file on suspicious covered account for further investigation. The file must include the following information:
i. Copy of any and all documentation from the University department(s) supporting the report of suspicious covered account
ii. Complete an online Incident Report Form
iii. ID of any third party payer sources for the affected the individual, including but not limited to federal health or financial aid programs, which may be affected by the suspicious activity. This information is to include the individual’s name, account number, and other information as deemed necessary based on the type of identity theft being attempted.
4. The Identity Theft Program Manager or authorized designee will conduct an investigation to determine whether the attempted transaction was fraudulent or authentic. Depending on the nature and degree of risk posed by the incident identified, the Identity Theft Program Manager or authorized designee authority will:
i. Instruct the supervisor or designated authority to continue to monitor an account for evidence of Identity theft;
ii. Other appropriate responses and actions may include:
a. Determining that no response is warranted under the particular circumstances;
b. Canceling the transaction;
c. Terminating treatment or credit until the discrepancy is resolved;
d. Contacting the individual against whom the fraud has been attempted;
e. Changing any passwords or other security devices that permit access to accounts;
f. Not opening a new covered account;
g. Closing an existing covered account;
h. Reopening a covered account with a new account number;
i. Notifying and cooperating with appropriate law enforcement;
j. Determining the extent of liability of the University ; and
k. Notifying any appropriate federal agencies, insurers or third party payers.
iii. If a consumer report includes an initial fraud alert or an active duty alert regarding a covered account, the University employee must provide additional services to be billed to the individual covered account for which the fraud alert was issued.
5. A copy of the Incident Report Form must be maintained on file with the supervisor or designated authority and the Identity Theft Program Manager.
Covered Accounts include (1) any account offered or maintained by the University which is primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions, such as student loan or financial aid accounts; and (2) any other account offered or maintained by the University for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.
Red Flags include (1) alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services; (2) the presentation of suspicious documents; (3) the presentation of suspicious personal identifying information, such as a suspicious address change; (4) the unusual use of, or other suspicious activity related to a Covered Account; (5) notice from customers, victims of identity theft, law enforcement authorities or other persons regarding possible identify theft in connection with a Covered Account; and (6) any other suspicious activity identified by the University as presenting a foreseeable risk of identity theft.
Identity Theft Program Manager is the University Risk Manager or such other official as is designated by the Chief Financial Officer.